title | platform
---|---
About the aws_lambda_permissions Resource | aws
Use the aws_lambda_permissions InSpec audit resource to test the properties of multiple AWS Lambda permissions, that is, the statements in a function's resource-based policy.

The AWS::Lambda::Permission resource grants an AWS service or another account permission to use a function. You can apply the policy at the function level, or specify a qualifier to restrict access to a single version or alias. If you use a qualifier, the invoker must use the full Amazon Resource Name (ARN) of that version or alias to invoke the function.
Ensure that the function's policy contains a statement with the desired statement ID:

```ruby
describe aws_lambda_permissions(function_name: 'LAMBDA_FUNCTION_NAME') do
  its('sids') { should include 'STATEMENT_ID' }
end
```

This resource takes one parameter:

function_name (required): the name of the Lambda function whose permissions are tested.
For additional information, see the AWS documentation on AWS Lambda permission.
Property | Description
---|---
sids | The statement ID (Sid) of each statement in the function's policy.
effects | The effect of each statement, Allow or Deny.
principals | The AWS services or accounts (the Principal of each statement) that are permitted to invoke the function.
actions | The Lambda action granted by each statement, for example lambda:InvokeFunction.
resources | The resource ARN of each statement: the function ARN, with a version or alias qualifier when the permission is scoped to one.
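The properties above are flattened views of the statements in the function's resource-based policy, which the underlying lambda:GetPolicy call returns as a JSON string. The following Ruby script is added here as an illustration; it is not part of the InSpec resource or its test suite. It parses such a policy into the same five arrays and adds the two checks a reviewer usually wants next: which statements grant invocation to any principal with no Condition block (a publicly invokable function), and which statements are scoped to a version or alias through the qualifier in the resource ARN. The policy document, account IDs, function name and statement IDs are constructed sample data, and the helper names (lambda_permissions, public_invoke_sids, qualified_sids) are my own and do not exist in InSpec.

```ruby
require 'json'

# Constructed sample: the JSON string that lambda:GetPolicy returns in its
# "Policy" field for a hypothetical function. Three statements: an API Gateway
# invoke permission narrowed by a Condition, a cross-account permission
# restricted to the "prod" alias, and a wildcard principal that makes the
# function invokable by anyone.
SAMPLE_POLICY = <<~JSON
{
  "Version": "2012-10-17",
  "Id": "default",
  "Statement": [
    {
      "Sid": "AllowApiGatewayInvoke",
      "Effect": "Allow",
      "Principal": { "Service": "apigateway.amazonaws.com" },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:111122223333:function:my-function",
      "Condition": { "ArnLike": { "AWS:SourceArn": "arn:aws:execute-api:us-east-1:111122223333:abcdef1234/*/GET/items" } }
    },
    {
      "Sid": "AllowPartnerAccountOnProdAlias",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::444455556666:root" },
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:111122223333:function:my-function:prod"
    },
    {
      "Sid": "PublicInvoke",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:111122223333:function:my-function"
    }
  ]
}
JSON

# Flatten one statement's Principal element into a list of principal strings.
# The policy grammar allows "*", {"AWS": "..."}, {"Service": [...]} and so on;
# the wildcard may appear either as a bare string or inside the "AWS" key.
def principal_names(principal)
  return [principal] if principal.is_a?(String)

  principal.values.flat_map { |v| Array(v) }
end

# Mirror the plural properties the resource exposes (sids, effects, ...),
# one entry per statement, so the arrays line up by index.
def lambda_permissions(policy_json)
  statements = JSON.parse(policy_json).fetch('Statement')
  {
    sids:       statements.map { |s| s['Sid'] },
    effects:    statements.map { |s| s['Effect'] },
    principals: statements.map { |s| principal_names(s['Principal']) },
    actions:    statements.map { |s| Array(s['Action']) },
    resources:  statements.map { |s| Array(s['Resource']) }
  }
end

# Statement IDs that allow invocation from any principal and carry no
# Condition block: these make the function callable by anyone on the Internet.
def public_invoke_sids(policy_json)
  JSON.parse(policy_json).fetch('Statement').select do |s|
    s['Effect'] == 'Allow' &&
      principal_names(s['Principal']).include?('*') &&
      Array(s['Action']).any? { |a| ['lambda:*', 'lambda:InvokeFunction'].include?(a) } &&
      s['Condition'].nil?
  end.map { |s| s['Sid'] }
end

# Statements restricted to a version or alias carry the qualifier after the
# function name in the Resource ARN: ...:function:NAME:QUALIFIER
def qualified_sids(policy_json)
  JSON.parse(policy_json).fetch('Statement').select do |s|
    Array(s['Resource']).any? { |arn| arn.split(':function:').last.include?(':') }
  end.map { |s| s['Sid'] }
end

if __FILE__ == $PROGRAM_NAME
  perms = lambda_permissions(SAMPLE_POLICY)
  puts "sids:       #{perms[:sids].inspect}"
  puts "principals: #{perms[:principals].inspect}"
  puts "public:     #{public_invoke_sids(SAMPLE_POLICY).inspect}"
  puts "qualified:  #{qualified_sids(SAMPLE_POLICY).inspect}"
end
```

The public-invoke check deliberately treats a Condition block as a mitigating control: a wildcard principal behind an AWS:SourceArn or AWS:SourceAccount condition is the normal way to let API Gateway or S3 invoke a function, while a wildcard with no condition at all is almost always a misconfiguration. Within an InSpec control the same intent is expressed through the principals property of aws_lambda_permissions; the script shows what the wildcard looks like in the raw policy so that the expected value is unambiguous.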
Ensure that at least one statement in the function's policy has the effect Allow:

```ruby
describe aws_lambda_permissions(function_name: 'LAMBDA_FUNCTION_NAME') do
  its('effects') { should include 'Allow' }
end
```
This InSpec audit resource has the following special matcher. For a full list of available matchers, please visit our Universal Matchers page.

exist: the control passes if the get call for the function's policy returns at least one permission statement.
Your Principal will need the lambda:GetPolicy action with Effect set to Allow.